Update Helm release cert-manager to v1.9.0 - autoclosed
This MR contains the following updates:
Package | Update | Change |
---|---|---|
cert-manager | minor | v1.8.2 -> v1.9.0 |
Release Notes
cert-manager/cert-manager
v1.9.0
Changes since v1.8.2
Changes by Kind
Feature
- Added support for pulling both AWS access key IDs and secret keys from Kubernetes secrets (#5194, @Compy)
- Adds `make clean-all` for starting a fresh development environment and `make which-go` for getting go version information when developing cert-manager (#5118, @SgtCoDFish)
- Adds `make upload-release` target for publishing cert-manager releases to GCS, making the cert-manager release process simpler and easier to change (#5205, @SgtCoDFish)
- Adds a new alpha Prometheus summary vector metric `certmanager_http_venafi_client_request_duration_seconds` which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: `certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"}` will show the average latency of calls to the Venafi certificate request endpoint (#5053, @irbekrm)
- Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#5142, @AcidLeroy)
- Adds new LICENSES format and ability to verify and update licenses through make (#5243, @SgtCoDFish)
- Adds private key Ingress annotations to set private key properties for Certificate (#5239, @oGi4i)
- Adds the `cert-manager.io/revision-history-limit` annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#5221, @oGi4i)
- Adds the `literalSubject` field for Certificate resources. This is an alpha feature, enabled by passing the flag `--feature-gates=LiteralCertificateSubject=true` to the cert-manager controller and webhook. `literalSubject` allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#5002, @spockz)
- Change default build dir from `bin` to `_bin`, which plays better with certain tools which might treat `bin` as just another source directory (#5130, @SgtCoDFish)
- Helm: Adds a new `namespace` parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#5141, @andrewgkew)
- Helm: Allow users to not auto-mount service account tokens; see also k/k#57601 (#5016, @sveba)
- Use multiple retries when provisioning tools using `curl`, to reduce flakes in tests and development environments (#5272, @SgtCoDFish)
Bug or Regression
- CertificateRequests controllers must wait for the core secrets informer to be synced (#5224, @rodrigorfk)
- Ensure that `make release-artifacts` only builds unsigned artifacts as intended (#5181, @SgtCoDFish)
- Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#5136, @craigminihan)
- Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#5212, @jahrlin)
- Fixed release artifact archives generated by Make so that a leading `./` is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#5050, @jahrlin)
- Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5226, @SgtCoDFish)
- Increases the Venafi Issuer timeout for retrieving a certificate to 60 seconds, up from 10. This gives TPP instances longer to complete their workflows and make the certificate available before cert-manager times out and re-queues the request. (#5247, @hawksight)
- Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @davidsbond for finding the issue! (#5032, @SgtCoDFish)
- `cmctl` and `kubectl cert-manager` now report their actual versions instead of "canary", fixing issue #5020 (#5286, @jetstack-bot)
Other (Cleanup or Flake)
- Adds `make update-all` as a convenience target to run before raising an MR (#5251, @SgtCoDFish)
- Adds make targets for updating and verifying CRDs and codegen (#5242, @SgtCoDFish)
- Bump cert-manager's version of Go to 1.18 (#5152, @lucacome)
- Bumps distroless base images to their latest versions (#5222, @irbekrm)
- CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in `experimental.cert-manager.io/private-key-secret-name` doesn't exist. (#5332, @jetstack-bot)
- Only require python for the one test we have which needs it, rather than requiring it globally (#5245, @SgtCoDFish)
- Remove deprecated field `securityContext.enabled` from helm chart (#4721, @Dean-Coakley)
- Removes support for networking/v1beta Ingresses in ingress-shim. (#5250, @irbekrm)
- Reverts additional check for ServiceMonitor (#5202, @irbekrm)
- Updates Kubernetes libraries to `v0.24.2`. (#5097, @lucacome)
- Updates warning message that is thrown if issuance fails because private key does not match spec, but private key regeneration is disabled. See https://github.com/cert-manager/cert-manager/pull/5199. (#5199, @irbekrm)
Configuration
- If you want to rebase/retry this MR, click this checkbox.
This MR has been generated by Renovate Bot.